
backoffice

I just found a PC with an instance of MSSQL running on it named backoffice1. When I do a netstat it shows it connected to a public IP that belongs to China Unicom according to the whois site. I am guessing it's reload time, but I want to learn from this. What can I do to see what is really going on, or to learn more about tracking down where it came from?

Wireshark & tcpdump - on another PC

I would second the Wireshark suggestion, or using tcpdump to capture ... but from a different PC.

Create an isolated network ... give your "found" machine an IP that isn't part of your normal network, connect it directly to another PC sharing its internet connection (or a *nix-based firewall & router) so that you can log, *externally* to the machine in question, every packet ...

Look for packets that start a connection ... the most commonly used protocols include user/pass/very interesting packets in the first few I/O attempts of any given session.

i.e. if you were looking at an email program (say Outlook, for instance), then within the first 3 or 4 packets you'd see your POP user & password in clear text ... first few packets going to a web server? You'd see the HTTP GET request.

So too, when you capture all packets, look back at the IPs and the ports used, ID the unique or interesting destinations, then figure out the code being sent within the first 1 to 10 packets. Same every time? Alternates? Does it send the same packets to other targets? (i.e. trying to reach C&C servers?) etc.
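A worked example of the triage described in the reply above: once the suspect box sits on its own isolated segment and the capture PC has recorded its traffic (for instance with `tcpdump -i <iface> -s 0 -w found.pcap host 192.168.50.10`), the script below walks the pcap, keys every TCP session on its SYN, groups sessions by destination IP:port, records when each session started, and keeps the first few payload packets of every session so you can see whether the same bytes go out every time. This is added example code, not anything posted in the thread; it uses only the Python standard library and builds its own constructed sample capture inline (host 192.168.50.10, destinations in the TEST-NET documentation ranges, a made-up beacon payload), so the addresses, ports and payloads are assumptions for illustration and not data from the original post.

```python
import socket
import struct

SYN, PSH, ACK = 0x02, 0x08, 0x10
HOST = "192.168.50.10"  # assumption: the "found" box on its isolated network

# ---- constructed sample capture (pcap, Ethernet/IPv4/TCP); not real traffic ----
def _pcap_header():
    # magic, version 2.4, tz offset, sigfigs, snaplen, linktype 1 (Ethernet)
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)

def _packet(ts, src, dst, sport, dport, flags, payload):
    eth = b"\x00" * 12 + b"\x08\x00"  # dummy MACs, ethertype IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    frame = eth + ip + tcp + payload
    return struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame

def build_sample_pcap():
    """Two beacons to 203.0.113.7:8080 (TEST-NET) 300 s apart, plus one HTTP GET."""
    c2, web = "203.0.113.7", "198.51.100.5"
    pkts = [
        _packet(100, HOST, c2, 49152, 8080, SYN, b""),
        _packet(100, c2, HOST, 8080, 49152, SYN | ACK, b""),
        _packet(101, HOST, c2, 49152, 8080, PSH | ACK, b"ID=backoffice1;v=1\n"),
        _packet(101, c2, HOST, 8080, 49152, PSH | ACK, b"SLEEP 300\n"),
        _packet(400, HOST, c2, 49153, 8080, SYN, b""),
        _packet(400, c2, HOST, 8080, 49153, SYN | ACK, b""),
        _packet(401, HOST, c2, 49153, 8080, PSH | ACK, b"ID=backoffice1;v=1\n"),
        _packet(500, HOST, web, 49154, 80, SYN, b""),
        _packet(500, HOST, web, 49154, 80, PSH | ACK, b"GET /update HTTP/1.1\r\nHost: 198.51.100.5\r\n\r\n"),
    ]
    return _pcap_header() + b"".join(pkts)

# ---- minimal pcap / Ethernet / IPv4 / TCP parser (stdlib only) ----
def parse_pcap(data):
    magic = struct.unpack("<I", data[:4])[0]
    end = "<" if magic == 0xA1B2C3D4 else ">"  # byte order from the magic number
    if struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet link type handled")
    off, packets = 24, []
    while off + 16 <= len(data):
        ts, _, incl, _ = struct.unpack(end + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        pkt = parse_frame(ts, frame)
        if pkt:
            packets.append(pkt)
    return packets

def parse_frame(ts, frame):
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None  # not IPv4/TCP; ARP, UDP, etc. are ignored here
    ihl = (frame[14] & 0x0F) * 4
    total = struct.unpack("!H", frame[16:18])[0]
    tcp = frame[14 + ihl:14 + total]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return {"ts": ts, "src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34]),
            "sport": sport, "dport": dport, "flags": tcp[13], "payload": tcp[(tcp[12] >> 4) * 4:]}

# ---- the triage: who did it talk to, and what were the first bytes each time ----
def sessions(packets, first_n=5):
    """Key every flow by its SYN; keep the first_n payload packets as (direction, bytes)."""
    flows = {}
    for p in packets:
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        if p["flags"] & SYN and not p["flags"] & ACK:  # connection start
            flows[fwd] = {"start": p["ts"], "payloads": []}
            continue
        key = fwd if fwd in flows else rev if rev in flows else None
        if key and p["payload"] and len(flows[key]["payloads"]) < first_n:
            flows[key]["payloads"].append((">" if key == fwd else "<", bytes(p["payload"])))
    return flows

def analyze(data, first_n=5):
    """Per destination ip:port: session count, start times, distinct first payloads."""
    dests = {}
    for (_, _, dst, dport), f in sessions(parse_pcap(data), first_n).items():
        d = dests.setdefault((dst, dport), {"sessions": 0, "starts": [], "first_payloads": set()})
        d["sessions"] += 1
        d["starts"].append(f["start"])
        if f["payloads"]:
            d["first_payloads"].add(f["payloads"][0][1])
    return dests

if __name__ == "__main__":
    for (dst, dport), d in sorted(analyze(build_sample_pcap()).items()):
        same = d["sessions"] > 1 and len(d["first_payloads"]) == 1
        print(f"{dst}:{dport} sessions={d['sessions']} starts={d['starts']} "
              f"same-first-payload={same} first={sorted(d['first_payloads'])}")
```

To use it on a real capture, replace `build_sample_pcap()` with `open("found.pcap", "rb").read()`. A destination that shows several sessions, a regular gap between their start times and a single distinct first payload is the "same every time" pattern the reply describes; a destination whose first bytes alternate, or the same first bytes going to several different addresses, is the other case worth pulling into Wireshark for a closer look.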